Distinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago

Transcription

1 Distinguishing prime numbers from composite numbers: the state of the art D. J. Bernstein University of Illinois at Chicago

2 Is it easy to determine whether a given integer is prime? If easy means computable : Yes, of course. If easy means computable in polynomial time : Yes. (2002 Agrawal/Kayal/Saxena) If easy means computable in essentially cubic time : Conjecturally yes! See Williams talk tomorrow.

3 What about quadratic time? What about linear time? What if we want to determine with proof whether a given integer is prime? Can results be verified faster than they re computed? What if we want proven bounds on time? Does randomness help?

4 Cost measure for this talk: time on a serial computer. Beyond scope of this talk: use Ì cost measure to see communication, parallelism. Helpful subroutines: Can compute -bit product, quotient, gcd in time 1+Ó(1). (1963 Toom; 1966 Cook; 1971 Knuth) Beyond scope of this talk: time analyses more precise than constant+ó(1).

5 Compositeness proofs If Ò is prime and Û ¾ Z then Û Ò Û ¾ ÒZ so Ò is Û-sprp : the easy difference-of-squares factorization of Û Ò Û, depending on ord 2 (Ò 1), has at least one factor in ÒZ. e.g.: If Ò ¾ 5 + 8Z is prime and Û ¾ Z then Û ¾ ÒZ or Û (Ò 1) ¾ ÒZ or Û (Ò 1) ¾ ÒZ or Û (Ò 1) 4 1 ¾ ÒZ.

6 Given Ò 2: Try random Û. If Ò is not Û-sprp, have proven Ò composite. Otherwise keep trying. Given composite Ò, this algorithm eventually finds compositeness certificate Û. Each Û has 75% chance. Random time 2+Ó(1) to find certificate if Ò 2. Deterministic time 2+Ó(1) to verify certificate. Open: Is there a compositeness certificate findable in time Ç(1), verifiable in time 1+Ó(1)?

7 Given prime Ò, this algorithm loops forever. After many Û s we are confident that Ò is prime but we don t have a proof. Challenge to number theorists: Prove Ò prime! Side issue: Do users care? Paranoid bankers: Yes, we demand primality proofs. Competent cryptographers: No, but we have other uses for the underlying tools.

8 Combinatorial primality proofs If there are many elements of a particular subgroup of a prime cyclotomic extension of Z Ò then Ò is a power of a prime. (2002 Agrawal/Kayal/Saxena) Many primes Ö have prime divisors of Ö 1 above Ö 2 3 (1985 Fouvry). Deduce that AKS algorithm takes time 12+Ó(1) to prove primality of Ò. Algorithm is conjectured to take time 6+Ó(1).

9 Variant using arbitrary cyclotomic extensions takes time 8+Ó(1). (2002 Lenstra) Variant with better bound on group structure takes time 7 5+Ó(1). (2002 Macaj; same idea without credit in 2003 revision of AKS paper) These variants are conjectured to take time 6+Ó(1). Variant using Gaussian periods is proven to take time 6+Ó(1). (2004 Lenstra/Pomerance)

10 What if Ò is composite? Output of these algorithms is a compositeness proof. Time 4+Ó(1) to verify proof. Time 6+Ó(1) to find proof. For comparison, traditional sprp compositeness proofs: verify proof, 2+Ó(1) ; find proof, random 2+Ó(1). For comparison, factorization: verify proof, 1+Ó(1) ; find proof, conjectured ( Ó(1))( lg )1 3.

11 Benefit from randomness? Use random Kummer extensions; twist. ( Bernstein, and independently Mihăilescu/Avanzi; 2-power-degree case: Berrizbeitia; prime-degree case: Cheng) Many divisors of Ò 1983 Odlyzko/Pomerance). Deduce: time 4+Ó(1) 1 (overkill: to verify primality certificate. Random time 2+Ó(1) to find certificate.

12 Open: Primality proof with proven deterministic time 5+Ó(1) to find, verify? Open: Primality proof with proven random time 3+Ó(1) to find, verify? Open: Primality proof with reasonably conjectured time 3+Ó(1) to find, verify?

13 Prime-order primality proofs If Û Ò 1 = 1 in Z Ò, and Ò 1 has a prime divisor Õ Ô Ò with Û (Ò 1) Õ 1 in (Z Ò), then Ò is prime. (1876 Lucas, 1914 Pocklington, 1927 Lehmer) Many generalizations. Can extend Z Ò. (1876 Lucas, 1930 Lehmer, 1975 Morrison, 1975 Selfridge/Wunderlich, 1975 Brillhart/Lehmer/Selfridge, 1976 Williams/Judd, 1983 Adleman/Pomerance/Rumely)

14 Can prove arbitrary primes. Proofs are fast to verify but often very slow to find. Replace unit group by random elliptic-curve group. (1986 Goldwasser/Kilian; point counting: 1985 Schoof) Use complex-multiplication curves; faster point counting. (1988 Atkin; special cases: 1985 Bosma, 1986 Chudnovsky/Chudnovsky) Merge square-root computations. (1990 Shallit)

15 Culmination of these ideas is fast elliptic-curve primality proving (FastECPP): Conjectured time 4+Ó(1) to find certificate proving primality of Ò. Proven deterministic time 3+Ó(1) to verify certificate. For comparison, combinatorics: proven random 2+Ó(1) to find, 4+Ó(1) to verify.

16 Variant using genus-2 hyperelliptic curves: Proven random time Ç(1) to find certificate proving primality of Ò. (1992 Adleman/Huang) Tools in proof: bounds on size of Jacobian (1948 Weil); many primes in interval of width Ü 3 4 around Ü (1979 Iwaniec/Jutila). Proven deterministic time 3+Ó(1) to verify certificate.

17 Variant using elliptic curves with large power-of-2 factors (1987 Pomerance): Proven existence of certificate proving primality of Ò. Proven deterministic time 2+Ó(1) to verify certificate. Open: Is there a primality certificate findable in time Ç(1), verifiable in time 2+Ó(1)? Open: Is there a primality certificate verifiable in time 1+Ó(1)?

18 Verifying elliptic-curve proofs Main theorem in a nutshell: If an elliptic curve (Z Ò) has a point of prime order Õ ( Ò ) 2 then Ò is prime. Proof in a nutshell: If Ô is a prime divisor of Ò then the same point mod Ô has order Õ in (F Ô ), but # (F Ô ) ( Ô Ô + 1) 2 (Hasse 1936), so Ò 1 2 Ô.

19 More concretely: Given odd integer Ò 2, ¾ , integer, gcd Ò = 1, gcd Ò 2 4 = 1, prime Õ ( Ò ) 2 : Define Ü1 =, Þ1 = 1, Ü2 = (Ü 2 Þ2 )2, Þ2 = 4Ü Þ (Ü 2 + Ü Þ + Þ 2 ), Ü2 +1 = 4(Ü Ü +1 Þ Þ +1 ) 2, Þ2 +1 = 4(Ü Þ +1 Þ Ü +1 ) 2. If Þ Õ ¾ ÒZ then Ò is prime.

20 For each prime Ô dividing Ò: ( 2 4)( ) = 0 in F Ô, so ( )Ý 2 = Ü 3 + Ü 2 + Ü is an elliptic curve over F Ô ; ( 1) is a point on curve. On curve: ( 1) = (Ü Þ ) generically. (1987 Montgomery) Analyze exceptional cases, show Õ( 1) = ½. (2006 Bernstein) Many previous ECPP variants. Trickier recursions, typically testing coprimality.

21 Finding elliptic-curve proofs To prove primality of Ò: Choose random. Compute # (Z Ò) by Schoof s algorithm. Compute Õ = # (Z Ò) 2. If Õ doesn t seem prime, try new. If Õ Ò or Õ ( Ò ) 2 : Ò is small; easy base case. Otherwise: Recursively prove primality of Õ. Choose random point È on. If 2È = ½, try another È. Now 2È has prime order Õ.

22 Schoof s algorithm: time 5+Ó(1). Conjecturally find prime Õ after 1+Ó(1) curves on average. Reduce number of curves by allowing smaller ratios Õ # (Z Ò). Recursion involves 1+Ó(1) levels. Reduce number of levels by allowing and demanding smaller ratios Õ # (Z Ò). Overall time 7+Ó(1).

23 Faster way to generate curves with known number of points: generate curves with small-discriminant complex multiplication (CM). Reduces conjectured time to 5+Ó(1). With more work: 4+Ó(1). CM has applications beyond primality proofs: e.g., can generate CM curves with low embedding degree for pairing-based cryptography.

24 Complex multiplication Consider positive squarefree integers ¾ 3 + 4Z. (Can allow some other s too.) If prime Ò equals (Ù 2 + Ú 2 ) 4 then CM with discriminant produces curves over Z Ò with Ò + 1 Ù points. Assuming 2+Ó(1) : Time 2 5+Ó(1). Fancier algorithms: 2+Ó(1).

25 First step: Find all vectors ( ) ¾ Z 3 with gcd = 1, = 2 4,, and 0 µ. How? Try Ô each integer Ô between 3 and 3. Find all small factors of 2 Ô +. Find all factors 3. For each ( ), find and check conditions.

26 Second step: For each ( ) compute to high precision ( 2 + Ô 2 ) ¾ C. Some wacky standard notations: Õ(Þ) = exp(2 Þ). 24 = Õ 1 + 1( È 1) (3 Õ 1) 2 + È 1( 1) Õ (3 +1) (Þ) = 24 (Þ 2) 24 (Þ). = ( )

27 How much precision is needed? Answer: 1+Ó(1) bits; 0 5+Ó(1) terms in sum; 1+Ó(1) inputs ( ); total time 2 5+Ó(1). Don t need explicit upper bound on error. Start with low precision; obtain interval around answer; if precision is too small, later steps will notice that interval is too large, so retry with double precision.

28 Third step: Compute product À ¾ C[Ü] of Ü ( 2 + Ô over all ( ). 2 ) Amazing fact: À ¾ Z[Ü]. The values are algebraic integers generating a class field. 1+Ó(1) factors. Time 2+Ó(1).

29 Fourth step: Find a root Ö of À in Z Ò. Easy since Ò is prime. Amazing fact: the curve Ý 2 = Ü 3 + (3Ü + 2)Ö (1728 Ö) has Ò Ù points for some (Ù Ú) with 4Ò = Ù 2 + Ú 2.

30 FastECPP using CM To prove primality of Ò: Choose Ý ¾ 1+Ó(1). For each odd prime Ô Ý, compute square root of Ô in quadratic extension of Z Ò. Also square root of 1. Each square root costs 2+Ó(1). Total time 3+Ó(1).

31 For each positive squarefree Ý-smooth ¾ 3 + 4Z below 2+Ó(1), compute square root of in quadratic extension of Z Ò. Each square root costs 1+Ó(1) : multiply square roots of primes. Total time 3+Ó(1).

32 For each having Ô ¾ Z Ò, find Ù Ú with 4Ò = Ù 2 + Ú 2, if possible. This can be done by a half-gcd computation. Each costs 1+Ó(1). Total time 3+Ó(1).

33 Conjecturally there are 1+Ó(1) choices of ( Ù Ú). Look for Ò + 1 Ù having form 2Õ where Õ is prime. More generally: remove small factors from Ò + 1 Ù; then look for primes. Each compositeness proof costs 2+Ó(1). Total time 3+Ó(1).

34 Conjecturally have several choices of ( Ù Ú Õ), when Ó(1) s are large enough. Use CM to construct curve with order divisible by Õ. Time 2 5+Ó(1) ; negligible. Problems can occur. Might have Ò Ù when Ò + 1 Ù was desired, or vice versa. Curve might not be isomorphic to curve of desired form Ý 2 = Ü 3 + Ü 2 + Ü. Can work around problems, or simply try next curve.

35 Recursively prove Õ prime. Deduce that Ò is prime. 1+Ó(1) levels of recursion. Total time 4+Ó(1). Verification time 3+Ó(1). Open: Can we quickly find ( Õ) with an elliptic curve (or another group scheme), Õ prime, Õ ¾ [Ò 0 6 Ò 0 9 ], and # (Z Ò) ¾ ÕZ?